Sunday, 15 June 2014

Security Hardening with Clustered Data ONTAP's Firewall

Note: This post is written with CDOT 8.2.1 in mind.

Introduction

Amongst the many new features in Clustered ONTAP over Data ONTAP Operating in 7-Mode is the presence of an inbuilt firewall, and its presence leads on to previously unaskable questions about how best to use it for security hardening in environments where this is of interest.

The services the firewall policy can block/allow (out of the box) are:

::> system services firewall policy create -service ?

dns http https ndmp ntp rsh snmp ssh telnet

dns: Needs to be allowed if you’re using CDOT On-Box DNS Load-Balancing and LIFs need to be able to listen for DNS requests. Otherwise it can be denied. Note: For thoroughness, I have tested with DNS denied, and normal external DNS services work fine.

https: For OFFtap products that leverage ONTAPI, and also to get to the logs via https://CLUSTERNAME/SPI!

http: Only if https does not function!

ndmp: If you’re using a backup/restore application that leverages NDMP (this includes OnCommand Unified Manager 6.1 - something I hope to blog about at a later date), then you need to allow ndmp.

ntp: Traditionally - “in a NetApp HA pair there is a cluster time daemon, where one filer is the master and the other slave, and the slave will only directly communicate with the time server when the cluster interconnect is down or clustering has been disabled.” One I’m not totally sure about; I’d leave it allowed!

rsh: For management over RSH (default is denied.)

snmp: This should be allowed if using a management/monitoring solution that polls the CDOT nodes with SNMP (OCUM 6.1 uses ONTAPI), otherwise it can be denied. Note: In a switched Cluster, the Cluster Nodes poll the switch for health information using SNMP - this is outbound communication though.

ssh: For management over SSH.

telnet: For management over telnet (default is denied.)

Note: If you enter diag privilege level, additional firewall services can be created:

::> set d

::*> system services firewall policy service create ?

-service {text} *Service Name
-protocol {protocol} *Protocol
-port {integer},… *Ports

Firewall Policies

To view the firewall policies:

::> system services firewall policy show

There are four default firewall policies:

::> system services firewall policy show -policy ?

cluster {used by default for cluster LIFs}
data {used by default for data LIFs}
intercluster {used by default for intercluster LIFs}
mgmt {used by default for node-mgmt and cluster-mgmt LIFs}

And the purpose of all 5 LIF roles:

::> network interface create -role ?

cluster Used for communication using the private cluster network
data Used for communicating with file service clients
node-mgmt Used by administrators to configure the node
intercluster Used for communication with a different cluster
cluster-mgmt Used by administrators to configure the cluster

What Is Allowed By Default

If we ignore the cluster firewall policy (since it is for the private cluster interconnect and cluster LIFs only, and it is highly recommended not to mess with this private CDOT network) and just look at the allowed services, we have:

Note: The default configuration of allowed services is totally fine for all scenarios (especially since this discussion would not have been possible with 7-Mode), except where further security hardening is of interest…

My scenario is an SVM configured for CIFS (it needs to get to external DNS for Active Directory to work.) And we’re using OnCommand Unified Manager 6.1 for GUI driven restores, hence ndmp is required (remember OCUM 6.1 is a free management tool.) We’re not using CDOT On-Box DNS Load-Balancing, so we don’t need inbound DNS. All the devices that could possibly communicate over https, ndmp, ntp, or ssh are on the subnet 192.168.0.0/16. So, our firewall policies will be to allow: